Documentation
¶
Overview ¶
Package security provides cryptographic utilities and PGP and AES encryption/decryption functionality.
It offers functions for generating cryptographically secure random bytes and passwords, hashing data using SHA256, MD5, and xxHash algorithms, and deriving keys from strings.
The package also includes the PGPCipher struct, which leverages the gopenpgp library to perform PGP encryption and decryption with both public/private key pairs and passphrase-based methods.
Key features:
- Secure random byte generation and base64 encoding
- Password generation with customizable character sets
- Hashing functions: SHA256, MD5, and xxHash
- Reading and saving passphrases securely to files
- PGP encryption/decryption with support for:
- Public key encryption
- Private key decryption
- Passphrase-based encryption and decryption
- Key pair generation with user identity and high security settings
- Convenient methods to load keys from files or strings
This package is designed for use cases requiring cryptographically secure operations and OpenPGP-compatible message encryption in Go applications.
Index ¶
- func DeriveArgon2Base64Key(secret string, salt string) string
- func DeriveArgon2Key(secret string, salt string) []byte
- func DeriveBase64Key(secret, salt string) string
- func DeriveKey(secret, salt string) []byte
- func GenerateRandomPassword(length int) (string, error)
- func GenerateSelfSignedCertificate(subject pkix.Name) (tls.Certificate, *x509.CertPool, error)
- func GetRandomBytes(size uint) ([]byte, error)
- func GetRandomBytesBase64(size uint) (string, error)
- func IsCertificateExpired(cert tls.Certificate) (bool, error)
- func LoadCACertPool(caFile string) (*x509.CertPool, error)
- func LoadCertAndConfig(certFile, keyFile, caFile string, clientAuth tls.ClientAuthType) (*tls.Config, error)
- func LoadCertificate(certFile, keyFile string) (tls.Certificate, error)
- func Md5(v any) string
- func NewTLSConfig(cert tls.Certificate, caPool *x509.CertPool, clientAuth tls.ClientAuthType) *tls.Config
- func ReadOrSavePassphrase(file string, length int) ([]byte, error)
- func SHA256(inp []byte) string
- func StringToKey32(inp string) string
- func StringToKey32Bytes(inp string) []byte
- func ValidateCertificate(cert tls.Certificate) error
- func WriteCertificate(cert tls.Certificate, certPath, keyPath string) error
- func XX(inp []byte) uint64
- type AesCipher
- func (a *AesCipher) Decrypt(ciphertext string, out io.Writer) *AesCipher
- func (a *AesCipher) Encrypt(plaintext string, out io.Writer) *AesCipher
- func (a *AesCipher) WithAES128() *AesCipher
- func (a *AesCipher) WithAES192() *AesCipher
- func (a *AesCipher) WithAES256() *AesCipher
- func (a *AesCipher) WithPassphrase(passphrase []byte) *AesCipher
- type PGPCipher
- func (p *PGPCipher) Decrypt(ciphertext []byte, out io.Writer) *PGPCipher
- func (p *PGPCipher) DecryptWithPassword(ciphertext []byte, out io.Writer) *PGPCipher
- func (p *PGPCipher) DecryptWithPrivateKey(ciphertext []byte, out io.Writer) *PGPCipher
- func (p *PGPCipher) Encrypt(plaintext []byte, out io.Writer) *PGPCipher
- func (p *PGPCipher) EncryptWithPassword(plaintext []byte, out io.Writer) *PGPCipher
- func (p *PGPCipher) EncryptWithPublicKey(plaintext []byte, out io.Writer) *PGPCipher
- func (p *PGPCipher) GenerateKeyPair(name, email string) error
- func (p *PGPCipher) GetPrivateKey() (string, error)
- func (p *PGPCipher) GetPublicKey() (string, error)
- func (p *PGPCipher) WithPassphrase(passphrase []byte) *PGPCipher
- func (p *PGPCipher) WithPrivateKey(key string) *PGPCipher
- func (p *PGPCipher) WithPrivateKeyFromFile(filePath string) *PGPCipher
- func (p *PGPCipher) WithPublicKey(key string) *PGPCipher
- func (p *PGPCipher) WithPublicKeyFromFile(filePath string) *PGPCipher
- type RSACipher
- func (r *RSACipher) Decrypt(ciphertext []byte) ([]byte, error)
- func (r *RSACipher) Encrypt(plaintext []byte) ([]byte, error)
- func (r *RSACipher) ExportPrivateKey(passphrase []byte) ([]byte, error)
- func (r *RSACipher) ExportPublicKey() ([]byte, error)
- func (r *RSACipher) GenerateKeyPair(bits int) *RSACipher
- func (r *RSACipher) GetKeySize() int
- func (r *RSACipher) GetPrivateKey() *rsa.PrivateKey
- func (r *RSACipher) GetPublicKey() *rsa.PublicKey
- func (r *RSACipher) LoadPrivateKey(pemData []byte, passphrase []byte) *RSACipher
- func (r *RSACipher) LoadPrivateKeyFromFile(path string, passphrase []byte) *RSACipher
- func (r *RSACipher) LoadPublicKey(pemData []byte) *RSACipher
- func (r *RSACipher) LoadPublicKeyFromFile(path string) *RSACipher
- func (r *RSACipher) SavePrivateKey(path string, passphrase []byte) *RSACipher
- func (r *RSACipher) SavePublicKey(path string) *RSACipher
- func (r *RSACipher) Sign(data []byte) ([]byte, error)
- func (r *RSACipher) Verify(data []byte, signature []byte) (bool, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DeriveArgon2Base64Key ¶ added in v1.6.0
DeriveArgon2Base64Key returns a base64-encoded version of the Argon2-derived key.
func DeriveArgon2Key ¶ added in v1.6.0
DeriveArgon2Key derives a key from the given secret and salt using Argon2id.
- Uses Argon2id, the recommended variant of Argon2 for password hashing and key derivation.
- Parameters: 4 iterations, 64 MB memory (64*1024 KB), 4 threads, 64-byte output.
- Prefer Argon2 over PBKDF2 when higher resistance to GPU/ASIC attacks is required, as Argon2 is designed to be memory-hard and more secure against such attacks, but note that it requires significantly more memory than PBKDF2.
func DeriveBase64Key ¶ added in v1.6.0
DeriveBase64Key returns a base64-encoded version of the PBKDF2-derived key.
func DeriveKey ¶ added in v1.6.0
DeriveKey derives a 64-byte cryptographic key from the given secret and salt using PBKDF2. Parameters:
- secret: the source material (e.g., password) to derive the key from.
- salt: a cryptographic salt to ensure uniqueness of the derived key.
Returns:
- a 64-byte derived key as a byte slice.
Security parameters:
- 500,000 iterations of PBKDF2 using SHA-512 as the hash function.
func GenerateRandomPassword ¶
GenerateRandomPassword generates a random password of the specified length
func GenerateSelfSignedCertificate ¶
GenerateSelfSignedCertificate generates a self-signed certificate and private key. It returns the certificate, CA pool, and any error encountered. The certificate is valid for 1 year and can be used for both client and server authentication.
func GetRandomBytes ¶
GetRandomBytes Generates random Bytes using crypto/rand which is significantly slower than math/rand but cryptographically secure. This Should be used whenever cryptographic keys should be generated.
func GetRandomBytesBase64 ¶
GetRandomBytesBase64 Returns the Base64 Encoded Equivalent of calling GetRandomBytes.
func IsCertificateExpired ¶
func IsCertificateExpired(cert tls.Certificate) (bool, error)
IsCertificateExpired returns true if the given certificate is expired.
func LoadCACertPool ¶
LoadCACertPool loads a CA certificate pool from the given PEM file.
func LoadCertAndConfig ¶
func LoadCertAndConfig(certFile, keyFile, caFile string, clientAuth tls.ClientAuthType) (*tls.Config, error)
LoadCertAndConfig loads certificate, CA certs, and returns a configured *tls.Config.
func LoadCertificate ¶
func LoadCertificate(certFile, keyFile string) (tls.Certificate, error)
LoadCertificate loads a TLS certificate from the given cert and key file paths.
func NewTLSConfig ¶
func NewTLSConfig(cert tls.Certificate, caPool *x509.CertPool, clientAuth tls.ClientAuthType) *tls.Config
NewTLSConfig creates a *tls.Config from a certificate and optional CA pool.
func ReadOrSavePassphrase ¶
ReadOrSavePassphrase generates a random passphrase of the specified length and saves it if the file does not exist.
func StringToKey32 ¶
StringToKey32 produces a 32byte slice from the input string using SHA256
func StringToKey32Bytes ¶
StringToKey32Bytes produces a 32byte slice from the input string using SHA256
func ValidateCertificate ¶
func ValidateCertificate(cert tls.Certificate) error
ValidateCertificate checks if the certificate is valid (not expired and not before its valid date).
func WriteCertificate ¶ added in v1.6.0
func WriteCertificate(cert tls.Certificate, certPath, keyPath string) error
WriteCertificate writes the given certificate and key to the specified file paths.
Types ¶
type AesCipher ¶
type AesCipher struct {
Error error
// contains filtered or unexported fields
}
AesCipher is a struct that provides methods for encrypting and decrypting data using AES. It uses the crypto/aes and crypto/cipher packages from the Go standard library.
func NewAesCipher ¶
func NewAesCipher() *AesCipher
NewAesCipher creates a new AesCipher instance with the specified key.
func (*AesCipher) Decrypt ¶
Decrypt uses the specified symmetric key to decrypt the input string using AES
func (*AesCipher) Encrypt ¶
Encrypt uses the specified symmetric key to encrypt the input string using AES
func (*AesCipher) WithAES128 ¶
WithAES128 sets the key size to 128 bits (16 bytes).
func (*AesCipher) WithAES192 ¶
WithAES192 sets the key size to 192 bits (24 bytes).
func (*AesCipher) WithAES256 ¶
WithAES256 sets the key size to 256 bits (32 bytes).
func (*AesCipher) WithPassphrase ¶
WithPassphrase sets the key to the specified byte slice. The key must be either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
type PGPCipher ¶
type PGPCipher struct {
Error error
// contains filtered or unexported fields
}
PGPCipher is a struct that provides methods for encrypting and decrypting data using PGP. It uses the gopenpgp library for PGP operations and supports both public key and passphrase-based encryption.
func NewPGPCipher ¶
NewPGPCipher creates a new PGPCipher instance with the default PGP profile (RFC4880).
func (*PGPCipher) Decrypt ¶
Decrypt decrypts the given ciphertext using the provided private key or passphrase.
func (*PGPCipher) DecryptWithPassword ¶
DecryptWithPassword decrypts the given ciphertext using the provided passphrase. The passphrase must be set using the WithPassphrase method before calling this function.
func (*PGPCipher) DecryptWithPrivateKey ¶
DecryptWithPrivateKey decrypts the given ciphertext using the provided private key. The private key must be set using the WithPrivateKey method before calling this function. When the private key is encrypted, the passphrase must also be set using the WithPassphrase method.
func (*PGPCipher) Encrypt ¶
Encrypt encrypts the given plaintext using the provided public key or passphrase.
func (*PGPCipher) EncryptWithPassword ¶
EncryptWithPassword encrypts the given plaintext using the provided passphrase. The passphrase must be set using the WithPassphrase method before calling this function.
func (*PGPCipher) EncryptWithPublicKey ¶
EncryptWithPublicKey encrypts the given plaintext using the provided public key. The public key must be set using the WithPublicKey method before calling this function.
func (*PGPCipher) GenerateKeyPair ¶
GenerateKeyPair generates a new key pair with the given name and email. To encrypt the private key, a passphrase must be set using the WithPassphrase method.
func (*PGPCipher) GetPrivateKey ¶
GetPrivateKey returns the private key set for the PGPCipher instance.
func (*PGPCipher) GetPublicKey ¶
GetPublicKey returns the public key set for the PGPCipher instance or an error if no public key is set.
func (*PGPCipher) WithPassphrase ¶
WithPassphrase sets the passphrase for the PGPCipher instance.
func (*PGPCipher) WithPrivateKey ¶
WithPrivateKey sets the private key for the PGPCipher instance.
func (*PGPCipher) WithPrivateKeyFromFile ¶
WithPrivateKeyFromFile sets the private key for the PGPCipher instance from a file.
func (*PGPCipher) WithPublicKey ¶
WithPublicKey sets the public key for the PGPCipher instance.
func (*PGPCipher) WithPublicKeyFromFile ¶
WithPublicKeyFromFile sets the public key for the PGPCipher instance from a file.
type RSACipher ¶ added in v1.8.0
type RSACipher struct {
Error error
// contains filtered or unexported fields
}
RSACipher provides RSA encryption, decryption, signing, and verification operations. It supports key sizes from 2048 to 4096 bits and uses SHA-256 for hashing.
func NewRSACipher ¶ added in v1.8.0
func NewRSACipher() *RSACipher
NewRSACipher creates a new RSACipher instance.
func (*RSACipher) Decrypt ¶ added in v1.8.0
Decrypt decrypts data using the private key with OAEP padding.
func (*RSACipher) Encrypt ¶ added in v1.8.0
Encrypt encrypts data using the public key with OAEP padding. This is suitable for encrypting small amounts of data (typically symmetric keys).
func (*RSACipher) ExportPrivateKey ¶ added in v1.8.0
ExportPrivateKey exports the private key as PEM-encoded bytes. If passphrase is provided, the key will be encrypted using PKCS#8 with AES-256-CBC and PBKDF2.
func (*RSACipher) ExportPublicKey ¶ added in v1.8.0
ExportPublicKey exports the public key as PEM-encoded bytes.
func (*RSACipher) GenerateKeyPair ¶ added in v1.8.0
GenerateKeyPair generates a new RSA key pair with the specified bit size. Recommended sizes: 2048, 3072, or 4096 bits. Larger keys are more secure but slower.
func (*RSACipher) GetKeySize ¶ added in v1.8.0
GetKeySize returns the key size in bits.
func (*RSACipher) GetPrivateKey ¶ added in v1.8.0
func (r *RSACipher) GetPrivateKey() *rsa.PrivateKey
GetPrivateKey returns the private key.
func (*RSACipher) GetPublicKey ¶ added in v1.8.0
GetPublicKey returns the public key.
func (*RSACipher) LoadPrivateKey ¶ added in v1.8.0
LoadPrivateKey loads a private key from PEM-encoded bytes. Supports both PKCS#1 and PKCS#8 formats, with optional password protection for PKCS#8.
func (*RSACipher) LoadPrivateKeyFromFile ¶ added in v1.8.0
LoadPrivateKeyFromFile loads a private key from a PEM file.
func (*RSACipher) LoadPublicKey ¶ added in v1.8.0
LoadPublicKey loads a public key from PEM-encoded bytes.
func (*RSACipher) LoadPublicKeyFromFile ¶ added in v1.8.0
LoadPublicKeyFromFile loads a public key from a PEM file.
func (*RSACipher) SavePrivateKey ¶ added in v1.8.0
SavePrivateKey saves the private key to a file.
func (*RSACipher) SavePublicKey ¶ added in v1.8.0
SavePublicKey saves the public key to a file.
Source Files